L2TP/IPSec behind NAT

Hi, I have an RB951G running RouterOS 6.42.1 and firmware version 3.33.
It's behind a cable modem from the cable TV provider. I'm struggling to make an L2TP/IPSec VPN work behind NAT. On the modem I have forwarded ports 1701, 8291, 4500, 500, 50, 51 and 47. The Mikrotik has the internal address 192.168.0.10.
Here's the configuration:

/ppp profile
set *FFFFFFFE bridge=bridge dns-server=192.168.1.1 local-address=192.168.1.1 remote-address=default-dhcp use-mpls=no use-upnp=yes

/ppp secret
add name=pnikolov password="**********" profile=default-encryption service=l2tp

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=udp
add action=accept chain=input dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input in-interface=ether1 protocol=gre
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=output disabled=yes new-connection-mark=WAN1-conn out-interface=ether1 passthrough=yes src-address=192.168.1.0/24
add action=mark-connection chain=output disabled=yes new-connection-mark=WAN2-conn out-interface=ether2 passthrough=yes src-address=192.168.1.0/24
add action=mark-packet chain=input disabled=yes in-interface=ether1 new-packet-mark=WAN1-conn passthrough=yes
add action=mark-connection chain=input disabled=yes in-interface=ether2 new-connection-mark=WAN1-conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1-conn disabled=yes in-interface=bridge new-routing-mark=route_to_Mtel passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2-conn disabled=yes in-interface=bridge new-routing-mark=route_to_4G passthrough=yes
add action=mark-connection chain=input connection-state=new disabled=yes in-interface=bridge new-connection-mark=WAN1-conn nth=2,1 passthrough=yes src-address-type=""
add action=mark-connection chain=input connection-state=new disabled=yes in-interface=bridge new-connection-mark=WAN2-conn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether2

/ip ipsec peer
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret="*********"

On the modem I have configured VPN passthrough - IPSec and PPTP.
ether1 is my primary WAN. I want to configure L2TP because of the better transfer speed I get with it compared to OpenVPN and SSTP. When I try to connect with the Windows (Win 10) VPN client it says "connecting..." and never connects. Where's my mistake?

Also, you need to forward the protocol ipsec-esp; it is not only UDP and TCP. You also need to forward THIS protocol.

VPN passthrough is enabled in the modem, but in the port forwarding options I see only TCP and UDP.

You mention "On the modem I have configured VPN passthrough - IPSec and PPTP" but you are trying to configure L2TP. I would assume you will need to configure L2TP passthrough on the modem; if it is not there, then it is not supported on the modem and will not work.

The last chance is to configure the VPN on the modem itself and try to make it work with the Win 10 client. Or maybe configure PPTP on the Mikrotik, which is not very secure. I'm waiting for my ISP to bring me an optical cable, and then I will have a public IP on the Mikrotik itself. But I have some issues with them, unfortunately. I'm going to try PPTP.

Please confirm that the modem/router where you’ve configured the passthrough mode has a static public IP address.

If so, it is enough to forward ports 500 and 4500 to the Mikrotik's WAN address, but you have to do an ugly trick: put the public IP address of the modem also on a portless bridge on the Mikrotik, use dst-nat rules to redirect incoming connections to UDP ports 500 and 4500 to that address, and link the peer to that address using the local-address item.

The embedded client of Windows normally doesn't handle a situation where the "server" (responder is the proper name in IPsec vernacular) is behind a NAT; by doing what I've described above you hide this from the client, because the IP address of the responder as sent inside its packets is the same as their L3 source.

However, if the Windows client itself were on a public IP address, this trick would cause the IPsec connection to establish using ESP, which many modems wouldn't NAT properly.
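The trick described in the reply above, written out as a complete RouterOS configuration. This is an added example, not the poster's or the original poster's own config. It assumes RouterOS 6.42-era syntax (the version named in the question), that the modem has the static public IP 203.0.113.10 and forwards UDP 500 and 4500 to the router's LAN address 192.168.0.10, and that ether1 faces the modem; the bridge name, the PSK placeholder and the comments are made up here. It also adds one check the reply does not mention: UDP 1701 is accepted only when the packet arrived inside the IPsec policy, so nobody can reach the L2TP server with unencrypted L2TP.

```routeros
# Assumptions (not from the thread): modem public IP 203.0.113.10 (static),
# modem forwards UDP 500 and 4500 to 192.168.0.10, ether1 is the WAN port.

# 1. Portless bridge that carries the modem's public address, so the router
#    "owns" it and the decrypted L2TP packets addressed to it are delivered locally.
/interface bridge
add name=bridge-pub comment="alias for modem public IP (IPsec behind NAT trick)"
/ip address
add address=203.0.113.10/32 interface=bridge-pub comment="same IP as modem WAN"

# 2. IKE and NAT-T arrive from the modem with dst 192.168.0.10; redirect them to
#    the public alias. Conntrack reverses the translation on the replies, so they
#    leave with src 192.168.0.10 and the modem rewrites them to 203.0.113.10.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500,4500 \
    action=dst-nat to-addresses=203.0.113.10 comment="IKE/NAT-T to public-IP alias"

# 3. Bind the responder to the public address: the responder IP inside the IKE
#    packets now matches their L3 source, so the Windows client sees no NAT on
#    the server side. Ciphers/DH group kept as in the original peer minus 3DES;
#    on 6.45+ 'secret' moved to /ip ipsec identity.
/ip ipsec peer
add address=0.0.0.0/0 local-address=203.0.113.10 passive=yes exchange-mode=main-l2tp \
    generate-policy=port-override dh-group=modp1024 enc-algorithm=aes-256,aes-128 \
    secret="CHANGE-ME-PSK" comment="L2TP/IPsec responder behind NAT"

# 4. L2TP server; IPsec is handled by the manual peer above, not by use-ipsec.
/interface l2tp-server server
set enabled=yes default-profile=default-encryption authentication=mschap2 use-ipsec=no

# 5. Input rules, placed above the defconf "drop all not coming from LAN" rule.
#    UDP 1701 is accepted only if the packet came in through an IPsec policy.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and NAT-T" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP only inside IPsec" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input protocol=udp dst-port=1701 action=drop \
    comment="plain (unencrypted) L2TP not allowed" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
```

If you apply this to the configuration in the question, remove the existing "dst-port=1701,500,4500" accept rule so the encrypted-only check is not bypassed. To see whether phase 1 completes and which proposal the client picked, look at /ip ipsec active-peers and /ip ipsec installed-sa; if the client still stalls at "connecting", enable IPsec logging with /system logging add topics=ipsec,!packet and watch /log while the client dials.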

I have configured PPTP and made it work. The modem is a Technicolor EPC3928S. It has PPTP passthrough and I think for now we'll try with it.
One issue is that I don't have ping in the LAN and I don't see other computers. I'll let you know if I manage to do everything. This is only a client-to-server connection. I need to make a site-to-site VPN.

PPTP is anything but secure

For now, PPTP is the only option. I'm trying another option.